Vulnerability management (VM) has long been a cornerstone of an organization’s cybersecurity. Almost as old as the discipline of cybersecurity itself, it aims to help organizations identify and address potential security issues before they become serious problems. In recent years, however, the limitations of this approach have become increasingly apparent.
Vulnerability management processes remain important for finding and remediating flaws. But as attack paths have grown more complex, the approach is starting to show its age. In a recent report, How to Turn Vulnerability Management into Impact Management (Gartner, Nov. 8, 2024, Mitchell Schneider et al.), we believe Gartner® is spot on with this point and shows how organizations can, and must, move from a strategy focused on individual vulnerabilities to a broader Exposure Management (EM) framework. We think it is well worth a read. In this article we look at why vulnerability management on its own is not working, why business context belongs in security operations, and how organizations can better engage management with metrics that show tangible value.
For starters, traditional vulnerability management is limited
It’s no surprise that traditional vulnerability management solutions are not keeping pace with today’s cybersecurity challenges, and there are several specific reasons for this. Vulnerability management is a complex task because of the wide range of stakeholders who influence and interact with it. Another key issue is simply the sheer number of vulnerabilities discovered. Without a clear way to rank them, traditional VM solutions leave security teams with very long lists of vulnerabilities and no clear road map for addressing them.
Risk-based vulnerability management (RBVM) tools do prioritize remediation by how likely a vulnerability is to be exploited in your environment, but even with these tools the list is nowhere near short enough to significantly reduce the number of exposures you still need to address.
The operational fatigue caused by this mass of low-priority vulnerabilities often results in the critical ones being overlooked: the less urgent issues still consume valuable time and resources. It can also lead to “analysis paralysis,” where teams are overwhelmed by the sheer number of problems and cannot decide where to start or how to proceed.
Traditional VM also misses the mark by leaving out business context. That leads to a focus on technical issues without considering how the associated vulnerabilities could affect critical business functions. Like analysis paralysis, this disconnect wastes resources and leaves organizations unnecessarily exposed.
Finally, compliance-driven vulnerability assessments are today more focused on meeting regulatory requirements than on improving security posture. While these assessments may satisfy auditors, they rarely address the real threats facing the organization.
The secret sauce: the business context
An important step in the transition to exposure management is adding business context to every relevant security operation. This is critical to aligning cybersecurity efforts with the organization’s strategic goals. It is also what lets cybersecurity stop being perceived as a purely technical, prevention-oriented cost center and start being seen as a strategic factor that supports revenue. In turn, that makes security decisions better informed and reduces resistance from non-security stakeholders.
Aligning security goals with business priorities also minimizes friction. Instead of focusing solely on technical risk, security teams can answer questions such as which assets matter most to operations and reputation. That clarity helps ensure that limited resources go to the most significant risks. (Want to learn more about how to focus on business-critical assets? Check out our previous article to learn how XM Cyber helps you identify the assets your business absolutely needs in order to function and protect them from serious risk.)
Moreover, traditional security efforts often fail because they ask the wrong question. The wrong question is “How do I fix this vulnerability… and the next… and the next?” The right question is “How does this vulnerability affect profitability, product adoption, revenue streams, or whatever your business bottom line is, and should we even address it?” Asking the right questions and incorporating business context turns security from a reactive process into a proactive strategy. The move to exposure management closes a glaring gap between technical teams and business leaders, because it lets us show that security initiatives are focused on the risks that matter most.
Understanding the modern attack surface
It’s no secret that the attack surface has expanded far beyond the traditional IT perimeter, and that this creates broader risks and challenges for security organizations. The era of “only” on-premises systems and networks is long gone: today’s attack surface spans SaaS platforms, IoT devices, hybrid and remote workforces, complex supply chains, social networks, third-party platforms, the dark web, public assets and much, much more.
Managing these attack surfaces can be daunting for security and risk managers, especially when many of the surfaces themselves are still poorly understood. To cope, security operations managers must prioritize by identifying the attack surfaces that are easy to reach or that contain important targets. Moving from vulnerability management to impact management is a critical step toward that.
This transition begins with better visibility into every attack surface in the digital infrastructure. Key steps include identifying which attack surfaces are in scope, conducting a gap analysis to find where existing technologies fall short, and using that information to define requirements for selecting the right vendors. These actions lay the foundation for effective attack surface management.
Engaging leadership through metrics
Finally, in the highly complex cyber climate in which we operate, finding a common language to communicate with organizational leadership is critical to moving from vulnerability management to impact management.
Metrics are just such a language. They are the best way to align cybersecurity efforts with business goals and demonstrate the tangible value of exposure management. The key is to make sure that the executives who live and breathe business results receive business metrics.
Metrics that reflect business-oriented information (such as reduced attack surface exposure, reduced risk to critical assets, and improved operational efficiency) bridge the gap between technical cybersecurity measures and business goals. Validated results, such as simulated attack scenarios or a demonstrable reduction in lateral movement potential, are another way to provide concrete evidence of progress and increase management confidence.
As noted above, the more directly we tie security operations to business outcomes, the more likely management is to view cybersecurity as a business enabler rather than a cost center. Communicating metrics effectively secures buy-in, resource allocation and ongoing support for the exposure management program. (To learn more about how to optimize reporting to the board and/or management, check out this ebook.)
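To make two of the arguments in this article concrete, the prioritization problem from the first section and the lateral-movement metric from this one, here is a small added example. It is not XM Cyber’s code and not the method described in the Gartner report; every asset name, finding ID (V-1 to V-5), CVSS score, criticality value and graph edge in it is constructed for illustration. It orders the same five findings two ways, by CVSS alone and by how much of the attack path to critical assets fixing each finding removes, and reports the share of critical assets still reachable before and after each kind of fix.

```python
"""Vulnerability-centric vs. exposure-centric prioritization on a toy attack graph.

Added example, not XM Cyber's code and not the Gartner report's method. Every
asset name, finding ID, CVSS score, criticality value and graph edge below is
constructed for illustration only.
"""
from collections import deque

# Business-assigned criticality per asset (1 = low, 5 = crown jewel). Constructed.
ASSETS = {"laptop-1": 1, "web-1": 2, "jump-1": 2, "db-prod": 5, "hr-share": 4}
CRITICAL = {name for name, crit in ASSETS.items() if crit >= 4}

# Findings: finding ID -> (host, CVSS base score). Constructed.
FINDINGS = {
    "V-1": ("laptop-1", 9.8),  # highest CVSS, but the host leads nowhere
    "V-2": ("web-1", 7.5),
    "V-3": ("jump-1", 6.5),
    "V-4": ("db-prod", 5.3),
    "V-5": ("hr-share", 8.1),
}

# Attack graph: (source, target, finding) means an attacker who controls `source`
# can take over `target` by exploiting `finding` on it. Constructed.
EDGES = [
    ("internet", "laptop-1", "V-1"),
    ("internet", "web-1", "V-2"),
    ("web-1", "jump-1", "V-3"),
    ("jump-1", "db-prod", "V-4"),
    ("jump-1", "hr-share", "V-5"),
]
ENTRY = "internet"


def reachable_critical(fixed=frozenset()):
    """Critical assets an attacker can reach from ENTRY once the `fixed` findings are gone."""
    seen, queue = {ENTRY}, deque([ENTRY])
    while queue:
        node = queue.popleft()
        for src, dst, finding in EDGES:
            if src == node and finding not in fixed and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen & CRITICAL


def rank_by_cvss():
    """Traditional VM ordering: severity of the flaw, no business context."""
    return sorted(FINDINGS, key=lambda f: -FINDINGS[f][1])


def impact_of_fixing(finding):
    """Criticality-weighted sum of critical assets that become unreachable if `finding` is fixed."""
    before = reachable_critical()
    after = reachable_critical(frozenset({finding}))
    return sum(ASSETS[asset] for asset in before - after)


def rank_by_exposure():
    """Exposure ordering: what fixing the finding removes from paths to critical assets.
    CVSS only breaks ties between findings with equal impact."""
    return sorted(FINDINGS, key=lambda f: (-impact_of_fixing(f), -FINDINGS[f][1]))


def critical_exposure_ratio(fixed=frozenset()):
    """Board-level metric: share of critical assets an attacker can still reach."""
    return len(reachable_critical(fixed)) / len(CRITICAL)


if __name__ == "__main__":
    print("CVSS order:    ", rank_by_cvss())
    print("Exposure order:", rank_by_exposure())
    print("Critical assets reachable, no fixes:      ", critical_exposure_ratio())
    print("...after fixing the top CVSS finding:    ",
          critical_exposure_ratio(frozenset({rank_by_cvss()[0]})))
    print("...after fixing the top exposure finding:",
          critical_exposure_ratio(frozenset({rank_by_exposure()[0]})))
```

Run as a script it prints both orderings and the exposure ratio. The finding with the highest CVSS (V-1) lands last in the exposure ordering because its host leads nowhere, so fixing it changes nothing for the critical assets; fixing the top exposure finding (V-2) cuts every path to the two critical assets and drops the reachable share from 1.0 to 0.0, which is the kind of reduction in lateral movement potential the paragraph above describes. In a real program the graph comes from discovered reachability data and the criticality values from business owners, not from dictionaries in a script.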
Bottom line
The time to move from vulnerability management to exposure management is not now; it was yesterday. Traditional VM makes it difficult for organizations to prioritize what really matters and risks wasting valuable resources. The shift to impact management is more than a natural technological evolution. It is a mindset shift that lets companies focus on protecting what matters most: critical assets, business continuity and strategic business outcomes. The transition is not only about addressing vulnerabilities better, but about building sustainable strategic defenses that ensure long-term success.
With Exposure Management, organizations can better address what really matters: protecting our critical assets, minimizing operational disruptions, and aligning cybersecurity efforts with business priorities.
Note: This article was expertly written by Shay Siksik, Senior Vice President of Customer Operations at XM Cyber.
Gartner, Inc., How to Turn Vulnerability Management into Impact Management, Mitchell Schneider, Jeremy D’Hoinne, et al., November 8, 2024.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the US and abroad and is used here with permission. All rights reserved.